
Thread: Bogus "Security Tool" hijacked my PC

  1. #1
    Junior Member
    Join Date
    Oct 2009
    Posts
    13

    Default Bogus "Security Tool" hijacked my PC

    Hi, need help getting started. A quick scan of the forums did not show me a thread like this, but I am sure I'm not the first to get this.

    About 2/3 through startup my desktop disappears, replaced by a blue background and a professional looking box from the "Security Tool" which claims to have found X number of malware and tells me I should register the product to remove the malware. I also have icons throwing up warnings that name legit programs I have running and label them as threats trying to send out my credit card info. So far anything I try to run has been stopped: Spybot, HijackThis, avast, Windows Defender, all do nothing when I try to run them. Firefox will work but malware removal sites seem to be blocked (like this one).

    I tried the exehelper and malware remover tools mentioned frequently in these forums. 2 problems. First, most of your instructions start with "drag to desktop". Looks like my desktop is being blocked by a window, I can't get to it. I created a folder on my C: drive and tried to run the files from there, but again no dice. Anything I try running doesn't run and is immediately flagged as malware, which "Security Tool" will gladly remove if I register the app.

    Any ideas for a first step?

    And no, unfortunately I haven't done any of the first steps listed in the "stickies" as I have been unable to do so.

    I am writing this from a different PC.

  2. #2
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hello and welcome to Safer Networking

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.
    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    Please observe these rules while we work:

    • If you don't know or understand something please don't hesitate to ask
    • Please DO NOT run any other tools or scans whilst I am helping you.
    • It is important that you reply to this thread. Do not start a new topic.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    • Absence of symptoms does not mean that everything is clear.


    1 - Download DDS

    Please disable any anti-malware program that will block scripts from running before running DDS.

    Please download DDS from one of the links below and save it to your desktop:

    • Link1
    • Link2
    • Link3

    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.


    2 - Status Check
    Please reply with

    • DDS.txt
    • Attach.txt


    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
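
The DDS.txt report requested in this post lists autostart entries (`mRun: [name] command`), `AppInit_DLLs` and a Find3M file listing; one way to triage such a report is to cross-reference the modules that autostart against files carrying hidden+system attributes. This is an added example, not part of the original thread and not DDS's own code; the rule names are hypothetical and the sample log is constructed.

```python
import re

# Constructed sample in the DDS.txt layout; every name and path is made up.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [11223344] c:\documents and settings\all users\application data\11223344\11223344.exe
mRun: [exampleloader] Rundll32.exe "c:\windows\system32\exampledll.dll",a
AppInit_DLLs: c:\windows\system32\exampledll.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-09 19:57 89,088 a--sh--- c:\windows\system32\exampledll.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^(uRun|mRun|dRun|mRunOnce):\s*\[(.*?)\]\s*(.*)$", re.I)
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) (\S{8}) (.+)$")
# An executable named after its own all-digit parent folder, e.g. \NNNN\NNNN.exe
NUMERIC_DIR_RE = re.compile(r"\\(\d{6,})\\\1\.exe", re.I)
# Basename of each .dll/.exe mentioned in a command line. File names that
# contain spaces are cut at the last space, which is enough for matching.
MODULE_RE = re.compile(r'[^\\\s"]+\.(?:dll|exe)\b', re.I)


def triage(dds_text):
    """Return a list of (rule, detail) findings for a DDS.txt style report."""
    section = ""
    autostart = set()       # module basenames launched at startup
    hidden_system = set()   # .dll/.exe basenames with both 'h' and 's' set
    findings = []

    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue

        run = RUN_RE.match(line)
        if run:
            command = run.group(3)
            if NUMERIC_DIR_RE.search(command):
                findings.append(("numeric-dir-autostart", line))
            autostart.update(m.lower() for m in MODULE_RE.findall(command))
            continue

        if line.lower().startswith("appinit_dlls:"):
            modules = MODULE_RE.findall(line.split(":", 1)[1])
            if modules:
                # Any DLL listed here is loaded into every process that
                # loads user32.dll, so a non-empty value deserves a look.
                findings.append(("appinit-dlls", line))
                autostart.update(m.lower() for m in modules)
            continue

        if section == "find3m":
            entry = FIND3M_RE.match(line)
            if entry:
                attrs, path = entry.group(4), entry.group(5).lower()
                if "s" in attrs and "h" in attrs and path.endswith((".dll", ".exe")):
                    hidden_system.add(path.rsplit("\\", 1)[-1])

    # Strongest signal: a module that both autostarts and hides itself.
    for name in sorted(autostart & hidden_system):
        findings.append(("hidden-system-autostart", name))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS):
        print(f"{rule:26} {detail}")
```
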

  3. #3
    Junior Member
    Join Date
    Oct 2009
    Posts
    13

    Default No luck

    Tried to run dds, and got nothing.

    I am unable to get to my desktop in the usual way, I have to navigate to the desktop folder. I saved dds there and tried to run it. Nothing happened except the "Security Tool Warning" flagged dds.scr as malware. I may have been running TeaTimer, but I can't verify that or shut it off in the conventional way as the "Security Tool" is blocking Spybot, so I cannot verify if TeaTimer is running or disable it through the program.

    What do you suggest I try next?

    Thanks in advance, I do appreciate the help.

  4. #4
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi TimAndrews

    Let's try this........

    Download and run Win32kDiag:
    1. Download Win32kDiag from any of the following locations and save it to your Desktop.
    2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
    3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
    4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  5. #5
    Junior Member
    Join Date
    Oct 2009
    Posts
    13

    Default

    Win32kDiag.exe does not run successfully. I see a brief flash of the window and it's gone. Logfile created has only 4 lines:

    Running Win32kdiag....
    Logfile.............
    Warning Could not get backup privalages
    Searching 'C:/windows'

    Note, these are done from memory, not cut and paste, but the lines were identical to the opening lines of this logfile I have seen others post here. Win32kDiag is being stopped.

    Also note, the above had to be done from memory as any attempt to open the logfile failed. Several editors were tried; only Notepad kept the file open for just long enough for me to see the contents.

  6. #6
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi TimAndrews

    Let's try Malwarebytes Anti-Malware .......

    1 - Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Full Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it:
    • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
    • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
    • If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
    • Right-click on mbam.exe, rename it to myscan and change the .exe extension in the same way as noted above.
    • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.


    With that done, run a full scan with it and post back its report, with a fresh HijackThis log.

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  7. #7
    Junior Member
    Join Date
    Oct 2009
    Posts
    13

    Default Weirdness

    Ok, not sure what happened, but things are different all of a sudden. The "Security Tool" windows are gone, as well as the icons in the task bar on the right which used to be showing the constant warnings. My background is gone but my desktop is now reachable, which it was not before. The only thing I did (after the failure in the note above) was to try and see what I could do on the PC; after a few failed attempts at opening apps I got a bluescreen BIOS-type error message and the system restarted. When I came back and started it to try your latest suggestion it was like this.... strange. I know things are still infected, I have seen a popup or two, so I am still going to work this through with you, sooooo......

    I downloaded Malwarebytes' Anti-Malware and installed it. All went well until the end of the install process; I think it was trying to run the app, and I get an error that it was unable to execute the file because it could not find mbam.exe.
    I looked and it's not there. The rest of the files, yes, but no mbam.exe
    ???

    Since that didn't work, and the PC was feeling different, I tried following your earlier suggestions. I was able to run DDS, and I am attaching the logs below. Maybe we can start from there.

    DDS.txt

    DDS (Ver_09-09-29.01) - NTFSx86
    Run by user at 13:52:08.87 on Sat 10/10/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.263 [GMT -4:00]

    AV: avast! antivirus 4.8.1351 [VPS 091009-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\99587745\99587745.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Documents and Settings\user\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = about:blank
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: : {206e52e0-d52e-11d4-ad54-0000e86c26f6} - c:\progra~1\freshd~1\freshd~1\fdcatch.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: {cbd55d83-a001-4e8a-b093-34a14e83cadd} - dolaribe.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Aim6]
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [86767943] c:\documents and settings\all users\application data\86767943\86767943.exe
    mRun: [82142320] c:\documents and settings\all users\application data\82142320\82142320.exe
    mRun: [zudikotar] Rundll32.exe "c:\windows\system32\jebanemu.dll",a
    mRun: [99587745] c:\docume~1\alluse~1\applic~1\99587745\99587745.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Kodak EasyShare software.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Kodak software updater.lnk.disabled
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
    IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: turbotax.com
    DPF: ppctlcab - hxxp://69.44.122.156/scanner/ppctlcab.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
    DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://69.44.122.156/scanner/axscanner.cab
    DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://amer-ml36.amer.csc.com/iNotes6W.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
    DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
    DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - hxxp://www.webshots.com/samplers/WSDownloader.ocx
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
    DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://meetdbm.webex.com/client/wbs26-vzbprodcn/webex/ieatgpc.cab
    DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - hxxp://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - hxxp://download.35mb.com/images/downloadapplet.cab
    DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    Filter: text/html - {fcf81844-7cb8-4ff8-a3c7-a964705d03a1} -
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: 32\ c:\windows\system32\jebanemu.dll sapoviri.dll c:\windows\system32\lavusita.dll
    SSODL: nurogewow - {efab77e1-330f-404d-a8c0-ae6d424328e2} - c:\windows\system32\jebanemu.dll
    STS: kupuhivus: {efab77e1-330f-404d-a8c0-ae6d424328e2} - c:\windows\system32\jebanemu.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    LSA: Notification Packages = holiwaga.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\vhxlsyc9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============

    R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-7-8 77312]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-11 114768]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-7-10 353672]
    R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-11 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-9-2 138680]
    R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
    R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2004-8-1 34916]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-5 24652]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-9-2 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-9-2 352920]
    S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-10-5 13592]

    =============== Created Last 30 ================

    2009-10-10 13:48 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
    2009-10-10 13:44 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-10 13:44 19,160 a------- c:\windows\system32\drivers\mbam.sys
    2009-10-10 13:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-10-10 13:44 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-10-10 07:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\99587745
    2009-10-07 16:39 <DIR> --d----- C:\stuff
    2009-10-07 12:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\82142320
    2009-10-07 10:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\86767943
    2009-10-03 01:57 195,440 -------- c:\windows\system32\MpSigStub.exe
    2009-09-10 22:39 <DIR> --d----- c:\program files\iPod
    2009-09-10 22:39 <DIR> --d----- c:\program files\iTunes
    2009-09-10 22:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

    ==================== Find3M ====================

    2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
    2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
    2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
    2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
    2009-07-10 07:57 37,376 a--sh--- c:\windows\system32\depopuho.dll
    2009-07-10 07:57 1,011,429 a--sh--- c:\windows\system32\dubuwemo.exe
    2009-07-09 19:58 51,712 a--sh--- c:\windows\system32\fifugiku.dll
    2009-07-07 12:12 37,888 a--sh--- c:\windows\system32\fikitiku.dll
    2009-07-07 10:34 1,050,147 a--sh--- c:\windows\system32\ganafihe.exe
    2009-07-09 19:57 51,712 a--sh--- c:\windows\system32\gasesila.dll
    2009-07-09 19:57 27,136 a--sh--- c:\windows\system32\gasowihu.dll
    2009-07-09 19:57 1,011,269 a--sh--- c:\windows\system32\gukowema.exe
    2009-07-09 19:58 51,712 a--sh--- c:\windows\system32\holiwaga.dll
    2009-07-09 19:57 89,088 a--sh--- c:\windows\system32\jebanemu.dll
    2009-07-10 07:57 88,576 a--sh--- c:\windows\system32\lavusita.dll
    2009-07-07 13:10 37,888 a--sh--- c:\windows\system32\majudusu.dll
    2009-07-07 13:10 89,088 a--sh--- c:\windows\system32\molugivu.dll
    2009-07-07 10:34 26,624 a--sh--- c:\windows\system32\rahuziti.dll
    2009-07-07 12:12 1,050,147 a--sh--- c:\windows\system32\rovudoku.exe
    2009-07-09 19:58 51,712 a--sh--- c:\windows\system32\sapoviri.dll
    2009-07-09 19:57 38,400 a--sh--- c:\windows\system32\yaponema.dll
    2008-09-07 10:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat
    2009-05-01 13:52 16,384 a--sh--- c:\windows\temp\cookies\index.dat
    2009-05-01 13:52 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
    2009-05-01 13:52 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

    ============= FINISH: 13:53:23.75 ===============

    ***************************************************
    Attach.txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-09-29.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/8/2004 1:55:03 PM
    System Uptime: 10/10/2009 7:33:37 AM (6 hours ago)

    Motherboard: ASUSTeK Computer Inc. | | K8V
    Processor: AMD Athlon(tm) 64 Processor 3000+ | Socket 754 | 2002/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 51.642 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
    Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\3&267A616A&0&50
    Manufacturer: Marvell
    Name: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
    PNP Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\3&267A616A&0&50
    Service: yukonwxp

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================


    1310
    1310_Help
    1310Tour
    1310Trb
    ACDSee 6.0 Standard
    Acrobat.com
    Ad-Aware 2007
    Adobe Acrobat 5.0
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.5 Language Support
    Adobe Reader 7.0.9
    AIM 6
    AiO_Scan
    AIOMinimal
    AiOSoftware
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    AOL Instant Messenger
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Control Panel
    ATI Decoder
    ATI Display Driver
    ATI HYDRAVISION
    ATI Multimedia Center
    ATI Multimedia Center 9.01
    ATI Remote Wonder 2.3
    ATIRW2
    AutoUpdate
    avast! Antivirus
    AviSynth 2.5
    Baldur's Gate(TM) II - Shadows of Amn(TM)
    Bejeweled 2 Deluxe 1.0
    Bonjour
    CCleaner (remove only)
    CCScore
    Copy
    CreativeProjects
    DAO
    DAO 3.5
    Director
    DivX
    DivX Player
    DocProc
    Documents To Go 3.00
    Doom 3
    DOOM 3: Resurrection of Evil
    EditPlus 2
    ESSBrwr
    ESSCDBK
    ESScore
    ESSCT
    ESSEMAIL
    ESSgui
    ESShelp
    ESSini
    ESSPCD
    ESSPDock
    ESSSONIC
    ESSTOOLS
    essvatgt
    essvcpt
    ESSvpaht
    ESSvpot
    Far Cry
    Fax
    Forté Agent
    FreshDownload
    Google Earth
    Google SketchUp
    Google Toolbar for Internet Explorer
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 2.0.2
    HLPIndex
    HLPPDOCK
    HLPSFO
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    HP Image Zone 3.5
    HP PSC & OfficeJet 3.5
    HP Software Update
    HPSystemDiagnostics
    Indeo® software
    InstantShare
    iTunes
    J2SE Development Kit 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_12
    Java 2 SDK, SE v1.4.2_12
    Java(TM) 6 Update 15
    Java(TM) 6 Update 7
    jEdit 4.2
    Jpg Bmp Tif Wmf Png to Pdf Converter 3000 7.4
    K-Lite Codec Pack 4.7.0 (Full)
    Kodak EasyShare software
    KSU
    Logitech SetPoint
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    MC2 Expansion Pack
    MC2 Unofficial Patch Ver. 1.7
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft MechCommander 2
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Journal Viewer
    mIRC
    MobileMe Control Panel
    Mozilla Firefox (3.0.14)
    MSN Messenger 6.2
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    NetBeans IDE 4.1
    Notifier
    OfotoXMI
    OTtBP
    OTtBPSDK
    Overland
    Palm Desktop
    PhotoGallery
    PowerDVD
    PrintScreen
    QFolder
    Quicken Deluxe 2000
    QuickProjects
    QuickTime
    Readme
    RealArcade
    RealPlayer
    Scan
    Scorched3D
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    SFR
    SFR2
    SHASTA
    ShowBiz
    SKIN0001
    SkinsHP1
    SkinsHP2
    SKINXSDK
    SmartFTP
    Sonic DLA
    Sonic RecordNow DX
    Sonic Simple Backup
    Sonic Update Manager
    SoundMAX
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    Swarm
    TexNotes version 3.6
    Tranquillity 1.0
    TrayApp
    tunebite 3.0.1.8
    TurboTax 2008
    TurboTax 2008 wdeiper
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wnjiper
    TurboTax 2008 wrapper
    TurboTax Deluxe 2007
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    VC 9.0 Runtime
    Ventrilo Client
    VIA Integrated Setup Wizard
    Videora iPod nano Converter 4.04
    Viewpoint Media Player
    VPRINTOL
    WebEx
    WebFldrs XP
    WebReg
    Webshots Desktop
    WexTech AnswerWorks
    Winamp
    Windows Defender
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Safety Scanner
    Windows Media Encoder 9 Series
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3
    WinRAR archiver
    WIRELESS
    World of Warcraft
    Yahoo! Address AutoComplete
    Yahoo! Browser Services
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    YouTube Downloader App 1.01
    ZoneAlarm
    ZoneAlarm Spy Blocker

    ==== Event Viewer Messages From Past Week ========

    10/7/2009 1:06:19 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 4 time(s).
    10/7/2009 1:06:16 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 3 time(s).
    10/7/2009 1:05:53 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 2 time(s).
    10/7/2009 1:05:52 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
    10/3/2009 8:00:23 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
    10/3/2009 8:00:23 AM, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    ==== End Of File ===========================

  8. #8
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi TimAndrews

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  9. #9
    Junior Member
    Join Date
    Oct 2009
    Posts
    13

    Default Back to square one.

    Well I had to shut the machine down and now the "weirdness" that allowed me to run DDS yesterday is gone, and "Security Tool" is in control again.

    I was able to download ComboFix, and disable everything I could, but ComboFix is being stopped/intercepted when I try to run it. I get a brief flash of a progress bar as ComboFix loads, then nothing, no ComboFix screen.

  10. #10
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi TimAndrews

    Let's try to unlock ComboFix with the following tool.

    Restore Permissions for combofix.exe

    Please download Inherit by sUBs

    Copy and paste the Inherit file into the same folder as combofix.exe.

    1. Drag and drop combofix onto Inherit
    2. This shall restore permissions to the application
    3. The application should now run normally

    Does that help?

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
